Two Factor Authentication - Security Beyond Passwords

Multi-factor authentication combines two or more of three possible factor types: something you know, something you have, and something you are.

By: Gary Glover, Director of Security Assessments at SecurityMetrics
Passwords alone have been shown to provide poor protection for our sensitive data, especially over the past few years. Many reasons contribute to this, but the biggest is probably the attacker’s growing ability to test password guess after password guess until one succeeds. This is known as brute-force password cracking.
According to Fast Company, brute-force password-cracking methods can churn through billions to hundreds of billions of guesses per second. Rates like that apply to offline cracking of a stolen password hash; a live login page is far slower, but a password cracked from one breach works everywhere it was reused.

August 2014 revealed that Russian hackers stole 1.2 billion passwords. In September 2014, 5 million usernames and passwords were leaked on a Russian Bitcoin forum. In February 2015, 10 million passwords were released by a security researcher to show how easy it is to gain access to stolen credentials. How many of you use the same password for multiple accounts?

So…if hackers have a giant online bank of passwords, how are we supposed to keep our information safe through username and password authentication? Luckily the technology to assist us already exists.  It’s called two factor authentication.


What is two factor authentication? 

Two factor authentication, also abbreviated as TFA or 2FA, is an extra layer of security during the authentication process. Two independent methods of authentication are required to access an application, network, or computer, so that you (and only you) get access to sensitive information.


Without two factor authentication, you are required only to enter a username and password. The password is the only factor of authentication, and as we know, passwords are just waiting to be hacked.

To qualify, 2fa must contain two of the following factors:
  • Something you know. This means some sort of memorized information, such as a password or answer to a secret question. (FYI - A username doesn’t count.)
  • Something you have. You must have in your possession a unique item containing secret information, such as an RSA token or a cell phone, which gives you a new code for each login. The major drawback here is that you have to carry this physical token around all the time. 
  • Something you are. This means a physical trait converted to digital information using specialized hardware, such as a fingerprint, voice recording, typing pattern, finger lengths, or iris scan.

Here are three real-world applications:
  • At the gas pump: When you use your credit card at a gas pump, it often asks for your ZIP code to authenticate. This example uses the “something you have” [your credit card] and “something you know” [your ZIP code] factors.
  • At the ATM: To withdraw money from the ATM, you have to insert your card AND enter your 4-digit PIN. This example uses the “something you have” [your debit card] and “something you know” [your PIN] factors.
  • At work: An employee must scan his ID badge and his fingerprint to gain access to sensitive areas of a data center. This example uses the “something you have” [employee ID badge] and “something you are” [employee fingerprint] factors.


Examples of two factor authentication in practice

  • You enter your username and password into a third-party remote access service, then call the onsite IT department to have them also log in and grant you one-time access (often they give you a PIN verbally). They verify your identity, and you are authorized for access.
  • You enter a password and then the remote access application sends your cell phone a unique PIN that expires in 60 seconds. You enter the PIN into the remote access application and gain access. (SMS is the weakest of these delivery channels: the code can be read from a lost or stolen phone, or redirected if an attacker takes over the phone number, so prefer an authenticator app or hardware token where one is available.)
  • You enter your username and password, and the system prompts you for a one-time code generated by an electronic device in your possession (key fob, Google Authenticator on a smartphone, etc.).
  • You enter your username and password, and the system prompts you for a biometric value (like a fingerprint), and you touch the fingerprint reader.

Two factor authentication myths

There are a lot of problems people run into when configuring two-factor authentication.
Here are the top three myths I see when helping people configure multi factor authentication at their business.
1. We’ll just use two separate passwords for our two factors. That will be extra secure!
FALSE! More of the same factor does not automatically create two factor authentication, or extra security. You can’t use two passwords as your two factors. You can’t use a password and a security question as your two factors. You can’t use two SMS text codes as your two factors. You must configure two different factors of authentication (see list of possible factors above) to qualify as two factor authentication.

2. If I turn on two-factor authentication, I’m unhackable.
FALSE! Multi factor authentication improves security in a huge way, but it doesn’t make your business invincible. For example: say you use a password and an SMS text code as your two factors. What if an attacker steals your phone and knows your password? What if your second factor depends on a third party’s security? Remember when RSA’s SecurID tokens were breached in 2011? Security is never perfect.

3. Two factor authentication isn’t worth it.
FALSE! Yes, two-factor authentication makes it a bit more inconvenient to log in, and it’s not impenetrable. But it also bumps up the security. It’s also important to note that two-factor authentication is a PCI DSS requirement (Requirement 8.3) for remote access and non-console administrative access to the cardholder data environment. If you use two-factor authentication, an attacker has to obtain both forms of authentication instead of just your password; a stolen password alone is useless without the second factor.

Applications that should use two-factor authentication

Not all your online accounts, hardware, and software can be configured for two-factor authentication, but many can. The following applications should be configured with two-factor authentication wherever it is available:
  • Remote access technologies
  • Cloud storage used for sensitive documents
  • Email accounts
  • Social media (Twitter, Facebook, etc.)
  • Bank login
  • Cloud computing administration interfaces
  • Hosting services
  • Password management tools
  • Anything else with sensitive data you want to protect….
Some sites that use two-factor will also alert you via email or text message if someone tries to log into your account using a device they don’t recognize, or when an incorrect password is entered.

Here’s a list of sites that support two factor authentication.


The future of authentication

Is two-factor authentication perfect? No, but it does make a hacker’s job more difficult. It is a necessary layer of protection for your data.

In the future, multi factor authentication will make single-factor passwords obsolete. In addition, many more second factor options will be available for authentication, such as vein scanners and microchip implants.

Perhaps attackers will become so advanced in the future that three-factor authentication will be the new norm. But for now, two steps is a small effort businesses can and should take for greater security.

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.
